GDPR Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between JetEmail Pty Ltd ("JetEmail", "Processor", "we", "us", or "our") and the customer ("Controller", "you", or "your") for the provision of email delivery services.

This DPA applies where and only to the extent that JetEmail processes Personal Data on behalf of the Controller in the course of providing the Services and such processing is subject to the General Data Protection Regulation (EU) 2016/679 ("GDPR").

JetEmail implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

The Controller provides general authorization for JetEmail to engage sub-processors for the processing of Personal Data, subject to the following conditions:

• • JetEmail maintains a current list of sub-processors on our website
• • All sub-processors are bound by data protection obligations equivalent to this DPA
• • JetEmail remains fully liable for sub-processor performance
• • Controllers will be notified of any changes to sub-processors

The current list of sub-processors is available at: jetemail.com/legals/gdpr-subprocessors

JetEmail is located in Australia. Personal Data may be transferred to and processed in Australia and other countries where our sub-processors are located, primarily the United States.

For transfers to countries without an adequacy decision, JetEmail ensures appropriate safeguards are in place, including:

• • Standard Contractual Clauses with sub-processors
• • Certification schemes where applicable
• • Additional security measures as required

JetEmail will assist the Controller in fulfilling data subject rights requests where technically feasible and legally required. This includes:

• • Right of Access: Providing available Personal Data upon request
• • Right to Rectification: Correcting inaccurate Personal Data
• • Right to Erasure: Deleting Personal Data where legally required
• • Right to Restrict Processing: Limiting processing where applicable
• • Right to Data Portability: Providing data in a structured format

The Controller remains responsible for responding to data subject requests and determining the legal basis for any actions taken.

JetEmail will notify the Controller without undue delay after becoming aware of a Personal Data breach affecting the Controller's data. The notification will include:

• • Description of the nature of the breach
• • Categories and approximate number of data subjects affected
• • Likely consequences of the breach
• • Measures taken or proposed to address the breach

The Controller remains responsible for determining whether to notify supervisory authorities and data subjects as required by GDPR Articles 33 and 34.

JetEmail will:

• • Retain Personal Data only for as long as necessary to provide the Services
• • Delete or return Personal Data upon termination of the service agreement
• • Maintain Personal Data for legal compliance where required
• • Provide certification of deletion upon request

Standard retention periods are outlined in our Privacy Policy and may be customized based on Controller requirements and legal obligations.

JetEmail will:

• • Maintain records of processing activities as required by GDPR Article 30
• • Provide information necessary to demonstrate compliance with this DPA
• • Allow for and contribute to audits by the Controller or authorized auditor
• • Cooperate with supervisory authorities as required

Audit requests must be reasonable, proportionate, and conducted with minimal disruption to JetEmail's operations.

Each party's liability under this DPA is subject to the limitations and exclusions set out in the main service agreement. JetEmail's total liability for all claims arising under this DPA shall not exceed the total fees paid by the Controller in the 12 months preceding the claim.

The Controller will indemnify JetEmail against claims arising from the Controller's breach of this DPA or applicable data protection laws.

This DPA will remain in effect for the duration of the service agreement. Upon termination:

• • JetEmail will cease processing Personal Data except as required by law
• • Personal Data will be deleted or returned as instructed by the Controller
• • Confidentiality obligations will survive termination

This DPA is governed by the laws of New South Wales, Australia. Any disputes will be subject to the exclusive jurisdiction of the courts of New South Wales, Australia.

For GDPR-specific matters, the relevant supervisory authorities maintain their jurisdiction as provided under the GDPR.

For questions regarding this DPA or data protection matters, please contact: